I maintain a very small office network. Some of our people work far away, and
we need a way to share some of our files.
So I set up a webdav directory on the BSD/Apache server we are using for our
website. I made a folder available as a subdoman (for example, common.xyz.com)
and set up the necessary config file parameters for webdav in that directory.
Our staff can now connect via an XP or OSX network connection and treat the
directory as a folder on their computers.
However, I can navigate to the directory with my browser without using an ID or
password. I simply navigate to common.xyz.com, and I see all the files that are
in the directory. This was a big surprise, because users need to enter
id/password to connect by webdav. I realized that webdav requires that GET
headers must NOT require valid users - so any browser can get in.
So, I added an index.html file to the directory, and that effectively blocked
access to the files by browser. You would think that this solved the problem.
But no. I discovered one day that someone had deleted the index.html file.
Anyone with access to the directory can do that.
So I tried to set unix permissions to prevent deletion of the file. Nothing I
did worked. I disabled write permission on the file for all users, but people
could still delete it. I think that I would have to disable write permission
for the whole directory to prevent file deletion. But that's not feasible,
since my users need to delete other files.
Does anyone have any idea how I can either 1) set a rule on the file so it
cannot be deleted (but the other files can be), or 2) keep browsers out of the
directory, or 3) implement something that's more secure than webdav, but is
simple (I don't want to do VPN, for example).
Thank you
